From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite
Date: Tue, 04 Aug 2020 10:35:24 +0100
Message-ID: <5566292B-281D-4631-B161-CBFD85E09A13@ipfire.org>
In-Reply-To: <108af439-2141-7525-f30a-652822eda6e5@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6706343256143257278=="
List-Id:

--===============6706343256143257278==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Acked-by: Michael Tremer

> On 1 Aug 2020, at 13:13, Peter Müller wrote:
>
> Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
> since they allow content decryption in retrospect, if an attacker is
> able to gain access to the servers' private key used for the
> corresponding TLS session.
>
> Since IPFire machines establish very few TLS connections by themselves, and
> destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
> provide support for Forward Secrecy ciphers - some are even enforcing
> them -, it is safe to drop support for anything else.
>
> This patch reduces the OpenSSL default cipher list to:
> TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
> TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256)          Mac=SHA384
> ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(256)          Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128)          Mac=SHA256
> ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(128)          Mac=SHA256
> DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> DHE-RSA-CHACHA20-POLY1305      TLSv1.2 Kx=DH   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA256
> DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA256
> ECDHE-ECDSA-AES256-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA1
> ECDHE-ECDSA-AES128-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA1
> ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA1
> ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-AES256-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA1
> DHE-RSA-AES128-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA1
>
> Signed-off-by: Peter Müller
> ---
> src/patches/openssl-1.1.1d-default-cipherlist.patch | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/patches/openssl-1.1.1d-default-cipherlist.patch b/src/patc= hes/openssl-1.1.1d-default-cipherlist.patch > index 5ad7829e7..a3a48933e 100644 > --- a/src/patches/openssl-1.1.1d-default-cipherlist.patch > +++ b/src/patches/openssl-1.1.1d-default-cipherlist.patch > @@ -5,7 +5,7 @@ > * This applies to ciphersuites for TLSv1.2 and below. > */ > -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" > -+# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kR= SA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" > ++# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:!kR= SA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" > /* This is the default set of TLSv1.3 ciphersuites */ > # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) > # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> --
> 2.26.2

--===============6706343256143257278==--
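
Review bot: on the changed `SSL_DEFAULT_CIPHER_LIST` line, swapping `+kRSA` for `!kRSA` removes RSA key exchange from the default for every consumer of this OpenSSL build, servers as well as clients, while the commit message only argues from the outbound connections IPFire establishes itself. Please state in the message whether any local service that accepts TLS relies on this default, because a peer that offers only RSA key exchange will then fail the handshake rather than negotiate a suite without forward secrecy. The cipher listing in the message is consistent with the change: every TLSv1.2-and-below entry shows Kx=ECDH or Kx=DH.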